';
$jobs = Record::query($full_query);
$stmt = Record::getConnection()->prepare($full_query);
$stmt->execute();
$rowspage = 20;
//number of data per page
$start = $CurPage * $rowspage;
$jobs_count = $stmt->rowCount();
$totalrecords = $jobs_count;
$lastpage = ceil($totalrecords / $rowspage);
if ($jobs_count <= $rowspage) {
$lastpage = 0;
} else {
$lastpage = abs($lastpage - 1);
}
$jobs = Record::query($full_query . ' LIMIT ' . $start . ',' . $rowspage);
// $jobs= Record::query($full_query);
if ($jobs_count > 0) {
while ($job = $jobs->fetchObject()) {
$quota_left = intval($job->quota - $job->total_assign);
$quota_left = max($quota_left, 0);
$job_start_datetime = strtotime($job->job_date . ' ' . $job->time_in);
$close_secs = $job->close_hour * 3600;
//Convert hour to seconds
$job_expired_time = $job_start_datetime - $close_secs;
$green_cls = '';
if ($job->is_assigned) {
$green_cls = 'green';
$apply_btn = '';
} else {
if ($quota_left == 0 || strtotime(date("Y-m-d H:i")) > $job_expired_time) {
public function getData($id)
{
global $pawUsers;
// VALIDATE
if (!is_integer($id)) {
return false;
}
// SELECT AND RETURN
$query = "SELECT * FROM " . TABLE_PREFIX . "blacklist WHERE id=:id";
$query = Record::query($query, array(":id" => $id));
if (!empty($query)) {
foreach ($query as $q) {
$user = $pawUsers->getUser($q->author, "id");
$q->author = $user->name;
$q->settings = paw_unserializer($q->settings);
return (array) $q;
}
}
return false;
}
public function getMeta($data, $key, $single = false, $default = false)
{
global $pawUsers;
$data = paw_xss_cleaner($data);
$key = paw_xss_cleaner($key);
// GET USER
if (($user = $pawUsers->getUser($data)) === false) {
return $default;
}
// CHECK IF EXISTS
$query = "SELECT * FROM " . TABLE_PREFIX . "user_meta WHERE user_id=" . $user->id . " AND meta_key=:key";
$query = Record::query($query, array(":key" => $key));
if (empty($query)) {
return $default;
}
// RETURN RESULT
$return = array();
foreach ($query as $line) {
$line->meta_value = paw_unserializer($line->meta_value);
if ($line->meta_unique == 1) {
if ($single === true) {
return $line->meta_value;
} else {
return $line;
}
}
if ($single === true) {
return $line->meta_value;
} else {
$return[] = $line;
}
}
return $return;
}
$asn->find();
$rec = new Record();
$rec->aid = $_POST['aid'];
$rec->uid = $asn->rid;
$rec->date = parse_date($_POST);
$rec->hours = $_POST['hours'];
$rec->materials = $_POST['materials'];
$rec->cost = str_replace('$', '', $_POST['cost']);
$rec->insert();
} else {
if (!empty($_POST['id'])) {
$rec = new Record();
$date = parse_date($_POST);
$cost = str_replace('$', '', $_POST['cost']);
$query = 'UPDATE record ' . "SET date='{$date}', " . "hours={$_POST['hours']}, " . "materials='{$_POST['materials']}', " . "cost={$cost} " . "WHERE id={$_POST['id']}";
$rec->query($query);
}
}
}
// Initialize values!
$aid = isset($_GET['aid']) ? $_GET['aid'] : '';
$id = isset($_GET['id']) ? $_GET['id'] : '';
$requestor = '';
$requestor_phone = '';
$deadline = '';
$description = '';
$hours = '';
$materials = '';
$cost = '';
if ($aid) {
$asn = new Assign();
<?php
$post_in_item = array('CART_media');
?>
<input id="post_in_tables" name="post_in_tables" type="hidden" value="<?php
echo str_replace(' ', '', implode(',', $post_in_item));
?>
" />
<input id="post_in_prod" name="post_in_prod" type="hidden" value="<?php
echo $prod['id'];
?>
" />
<?php
$i = 0;
$imgdb = Record::query("select * from CART_media where pid = '" . $prod['id'] . "' order by priority");
while ($img = $imgdb->fetch(PDO::FETCH_ASSOC)) {
if ($i == 0) {
echo '<h3>' . __('Edit Media Gallery for ') . $prod['name'] . '</h3>';
}
$i++;
?>
<input id="post_in_item" name="post_in_item[]" type="hidden" value="<?php
echo $img['id'];
?>
" />
<input id="url" name="url[<?php
echo $img['id'];
?>
]" type="hidden" value="<?php
public function save_album_order()
{
$album_array = $_POST['album_id'];
$order_array = $_POST['order'];
// $gallery = new Gallery;
foreach ($album_array as $key => $value) {
$album_id = $value;
$album_order = $order_array[$key];
Record::query("Update wolf_album SET sequence='" . $album_order . "' WHERE id='" . $album_id . "'");
}
Flash::set('success', __('This album sequence has been saved.'));
redirect(get_url('gallery'));
}
echo $sh->enum_to_select("SHOW FIELDS FROM CART_orders where field = 'status'", $ord['order_id'], $ord['status']);
?>
</p>
</div>
<div class="half-r">
<p>Products ordered: </p>
<br />
<p class="table_row table_header">
<span>Product #</span>
<span>Name</span>
<span>Sold Price/each</span>
<span>Qty</span>
</p>
<?php
$order_prod = Record::query("select * from CART_order_product\n left join CART_products on CART_products.id = CART_order_product.product_id\n where order_id = " . $ord['order_id']);
while ($o = $order_prod->fetch(PDO::FETCH_ASSOC)) {
$order_total += $o['sold_price'] * $o['quantity'];
echo " \n <p class=\"table_row\">\n <span>" . $o['product_id'] . "</span>\n <span title=\"full id: " . $o['product_options_full_id'] . "\">" . ucwords($o['product_options_full_name']) . "</span>\n <span>\$" . $o['sold_price'] . "</span>\n <span>" . $o['quantity'] . "</span>\n </p>\n ";
}
?>
<br />
<?php
if ($ord['coupon']) {
echo "<p><b>Coupon code: </b>" . ucwords($ord['coupon']) . "</p>";
}
?>
<?php
if ($ord['payment_confirmation']) {
public function view()
{
$this->_checkPermission();
$paths = func_get_args();
$id = urldecode(join('/', $paths));
$mysidebarlink = Record::query('select * from ' . TABLE_PREFIX . 'sidebarlink where id="' . $id . '"');
$sidebarlink = $mysidebarlink->fetchObject();
$this->display('sidebarlink/view', array('sidebarlink' => $sidebarlink, 'pages' => Record::findAllFrom('Page', 'parent_id=1 OR parent_id=0 order by parent_id,position')));
}
public function save_category_order()
{
$news_array = $_POST['news_category_id'];
$order_array = $_POST['order'];
foreach ($news_array as $key => $value) {
$news_id = $value;
$news_order = $order_array[$key];
$cat = Record::query('Update ' . TABLE_PREFIX . 'newscategory set sequence=' . $news_order . ' where id="' . $news_id . '"');
$cat->execute();
}
Flash::set('success', __('This news category sequence has been saved.'));
redirect(get_url('news'));
}
} else {
if (!preg_match("/^[_a-z0-9-]+(\\.[_a-z0-9-]+)*@[a-z0-9-]+(\\.[a-z0-9-]+)*(\\.[a-z]{2,3})\$/i", $login_email)) {
$error = "invalidemail";
} else {
$employee = new Employee();
if ($employee->countFrom('Employee', 'email = "' . $login_email . '" AND NRIC = "' . $login_nric . '"') > 0) {
$employee = $employee->findOneFrom('Employee', 'email="' . $login_email . '" AND NRIC = "' . $login_nric . '"');
if ($employee->suspended || !$employee->validate) {
$error = "invalidstatus";
} else {
$employee_id = $employee->employee_id;
$employee_email = $employee->email;
$rand_pass = substr(md5(uniqid()), 0, 6);
$encrypt_pass = md5($rand_pass);
// $encrypted = md5(mktime());
$employee = Record::query('UPDATE ' . TABLE_PREFIX . 'employee set password="******" WHERE employee_id = "' . $employee_id . '"');
//Send reset password email to employee
$users = new User();
$user = $users->findOneFrom('User', 'id=1');
$emailTo = $user->email;
//Admin Email
$subject = "[CONA] New Login Password";
$content = "You have recently requested a new password,<br />";
$content .= "Please find your new password: "******"<br /><br />";
// $content .= "For security purposes, we ask you to confirm your email address before we can proceed with resetting your password.<br />";
// $content .= "Click here to confirm your email address > <a href='".URL_PUBLIC."reset-password?id=".$employee_id."&ref=".$encrypted."'>Reset Link</a><br /><br />";
// $content .= "In case the link does not work, please copy and paste the following into your browser address bar:<br />";
// $content .= URL_PUBLIC."reset-password?id=".$employee_id."&ref=".$encrypted." <br /><br />";
$content .= "For changes or enquiries, please contact us at xxxx@cona.com.";
$headers = 'From: CONA <' . $emailTo . '>' . "\r\n";
$headers .= 'Reply-To: ' . $emailTo . "\r\n";
$current_password = $_POST["current_password"];
$new_password = $_POST["new_password"];
$re_new_password = $_POST["re_new_password"];
//Compare entered password with current one
$encrypt_current_password = md5($current_password);
echo $encrypt_current_password;
if ($encrypt_current_password != $old_password) {
$status = "failed";
$msg = "Current password is not valid. Please enter again.";
} else {
if ($new_password != $re_new_password) {
$status = "failed";
$msg = "New password is not match.";
} else {
$enrypt_new_password = md5($new_password);
$employee = Record::query('UPDATE ' . TABLE_PREFIX . 'employee set password = "******" where employee_id="' . $employee_id . '"');
$status = "success";
}
}
redirect(get_url('employee/setting?status=' . $status . '&msg=' . $msg));
}
}
?>
<div id="employee-login" align=center>
<?php
if (isset($_GET['status1'])) {
if ($_GET['status1'] == 'success') {
echo '<p class="tbSuccess">Status: You had successfully updated your profile.</p>';
} else {
if (isset($_GET['msg1'])) {
public static function getCategoryName($id)
{
$category = Record::query('select title from ' . TABLE_PREFIX . 'newscategory WHERE id=' . $id);
return $category->fetchColumn();
}
public function edit_media()
{
$this->clean_post($_POST);
$tables = array();
$tables = isset($_POST['post_in_tables']) ? explode(',', str_replace(' ', '', $_POST['post_in_tables'])) : null;
if (!AuthUser::hasPermission('shopping_cart_edit') || empty($tables)) {
Flash::set('error', __('You are not allowed to perform this operation.'));
redirect(get_url('plugin/shopping_cart/'));
}
if (isset($_POST['post_in_item'])) {
foreach ($_POST['post_in_item'] as $k => $v) {
if (!isset($_POST['delete_image'][$v])) {
// update
Record::query(" UPDATE " . $tables[0] . " SET\n alt = '" . $_POST['alt'][$v] . "',\n width = '" . $_POST['width'][$v] . "',\n height = '" . $_POST['height'][$v] . "',\n detail_width = '" . $_POST['detail_width'][$v] . "',\n type = '" . $_POST['type'][$v] . "',\n status = '" . $_POST['status'][$v] . "',\n priority = '" . $_POST['priority'][$v] . "'\n WHERE id = '{$v}'\n ");
} else {
Record::query("delete from " . $tables[0] . " where id = '{$v}' ");
unlink(FILES_DIR . '/../' . $_POST['url'][$v]);
}
}
}
if (isset($_FILES['new_url']['name'][0]) && !empty($_FILES['new_url']['name'][0])) {
$new_image_name = array();
foreach ($_FILES['new_url']['name'] as $k => $v) {
$new_image_name[$k] = $this->_upload_file($_FILES['new_url']['name'][$k], FILES_DIR . '/../' . $this->product_image_folder, $_FILES['new_url']['tmp_name'][$k]);
Record::query("INSERT INTO " . $tables[0] . " (pid, url, alt, width, type, status, priority) VALUES (" . $_POST['post_in_prod'] . ", '" . $this->product_image_folder . $new_image_name[$k] . "', '" . $_POST['new_alt'][$k] . "', '" . $_POST['new_width'][$k] . "', '" . $_POST['new_type'][$k] . "', '" . $_POST['new_status'][$k] . "', " . $_POST['new_priority'][$k] . ")");
}
}
Flash::set('success', __('Product media has been saved.'));
redirect(get_url("plugin/shopping_cart"));
}
if (strlen($signature) > 0) {
$signature_filename = md5(uniqid(rand(), true)) . '.png';
generateBase64Image($signature, $upload_path . 'signature/' . $signature_filename);
}
if (strlen($profile_image) > 0) {
$profile_filename = md5(uniqid(rand(), true)) . '.png';
generateBase64Image($profile_image, $upload_path . 'profile/' . $profile_filename);
}
if (strlen($NRIC_front) > 0) {
$nricfront_filename = md5(uniqid(rand(), true)) . '.png';
generateBase64Image($NRIC_front, $upload_path . 'nric/' . $nricfront_filename);
}
if (strlen($NRIC_back) > 0) {
$nricback_filename = md5(uniqid(rand(), true)) . '.png';
generateBase64Image($NRIC_back, $upload_path . 'nric/' . $nricback_filename);
}
//Image decode, generate and upload
$dob = date("Y-m-d", strtotime($dob));
$student_pass_expiry = date("Y-m-d", strtotime($student_pass_expiry));
$register_date = date("Y-m-d");
$suspended = 0;
$status = '';
$from_source = 'ipad';
}
//Add to database
if (strlen($fullname) > 0 && strlen($email) > 0 && strlen($NRIC) > 0) {
Record::query('INSERT INTO ' . TABLE_PREFIX . 'employee (`employee_id`,`fullname`,`email`,`NRIC`,`passport_no`,`dob`,`pob`,`citizenship`,`gender`,`age`,`race`,`mobiletel`,`hometel`,`address`,`referee`,`educate_level`,`school`,`course`,`highest_educate`,`educate_from`,`educate_to`,`student_pass_expiry`,`contact_name`,`contact_mobiletel`,`contact_hometel`,`contact_relationship`,`contact_address`,`suspended`,`status`,`register_date`,`signature`,`profile_image`,`NRIC_front`,`NRIC_back`,`from_source`) VALUES("0","' . addslashes($fullname) . '","' . addslashes($email) . '","' . addslashes($NRIC) . '","' . addslashes($passport_no) . '","' . addslashes($dob) . '","' . addslashes($pob) . '","' . addslashes($citizenship) . '","' . addslashes($gender) . '","' . addslashes($age) . '","' . addslashes($race) . '","' . $mobiletel . '","' . addslashes($hometel) . '","' . addslashes($address) . '","' . addslashes($referee) . '","' . addslashes($educate_level) . '","' . addslashes($school) . '","' . addslashes($course) . '","' . addslashes($highest_educate) . '","' . addslashes($educate_from) . '","' . addslashes($educate_to) . '","' . addslashes($student_pass_expiry) . '","' . addslashes($contact_name) . '","' . addslashes($contact_mobiletel) . '","' . addslashes($contact_hometel) . '","' . addslashes($contact_relationship) . '","' . addslashes($contact_address) . '","' . $suspended . '","' . addslashes($status) . '","' . addslashes($register_date) . '","' . addslashes($signature_filename) . '","' . addslashes($profile_filename) . '","' . addslashes($nricfront_filename) . '","' . addslashes($nricback_filename) . '","' . $from_source . '")');
// $PDO = Record::getConnection();
// $last_id = $PDO->lastInsertId();
}
}
public function browse()
{
$this->_checkPermission();
$params = func_get_args();
$this->path = join('/', $params);
// make sure there's a / at the end
if (substr($this->path, -1, 1) != '/') {
$this->path .= '/';
}
$careers = Record::query('select * from ' . TABLE_PREFIX . 'career ORDER BY sequence asc, id desc');
$this->display('career/index', array('careers' => $careers));
}
<?php
if ($this->parent->id == 1) {
$isRoot = 1;
} else {
$isRoot = 0;
}
$oGallery = new Gallery();
$count = 0;
if ($isRoot == 1) {
// album cover
$albums = Record::query("select a.page_id, a.id, a.name as album_name from wolf_album a,wolf_page p where a.id=p.id AND a.status='1' group by a.id order by p.position asc");
} else {
// loop photos
$albums = Record::query("select a.page_id, a.id, a.name as album_name,g.* from wolf_gallery g inner join wolf_album a on a.id=g.album_id AND a.status='1' AND a.page_id='" . $this->id . "' where g.status='1' order by g.sequence asc, g.id desc");
}
while ($album = $albums->fetchObject()) {
$count++;
//Album cover
$cover = Record::findOneFrom("Gallery", "status='1' and album_id='" . $album->id . "' order by sequence asc LIMIT 1");
if ($isRoot == 1) {
$url = Page::urlById((int) $album->page_id);
$img_src = $cover->filename != "" ? URL_PUBLIC . 'public/gallery/images/' . $album->id . '/' . $cover->filename : THEME_PATH . 'js/gallery/broken_image.jpg';
echo '<div class="album-cover">
<div><a href="' . $url . '">
<img id="cover' . $album->id . '" src="' . $img_src . '" border=0>
</a></div>
<p>' . $album->album_name . '</p>
</div>
';
} else {
function backup()
{
$settings = Plugin::getAllSettings('backup_restore');
// All of the tablesnames that belong to Wolf CMS core.
$tablenames = array();
if (strpos(DB_DSN, 'mysql') !== false) {
$sql = 'show tables';
}
if (strpos(DB_DSN, 'sqlite') !== false) {
$sql = 'SELECT name FROM SQLITE_MASTER WHERE type="table" ORDER BY name';
}
if (strpos(DB_DSN, 'pgsql') !== false) {
$sql = "select tablename from pg_tables where schemaname='public'";
}
Record::logQuery($sql);
$pdo = Record::getConnection();
$result = $pdo->query($sql);
while ($col = $result->fetchColumn()) {
$tablenames[] = $col;
}
// All fields that should be wrapped as CDATA
$cdata_fields = array('title', 'content', 'content_html');
// Setup XML for backup
$xmltext = '<?xml version="1.0" encoding="UTF-8"?><wolfcms></wolfcms>';
$xmlobj = new SimpleXMLExtended($xmltext);
$xmlobj->addAttribute('version', CMS_VERSION);
// Retrieve all database information for placement in XML backup
global $__CMS_CONN__;
Record::connection($__CMS_CONN__);
// Generate XML file entry for each table
foreach ($tablenames as $tablename) {
$table = Record::query('SELECT * FROM ' . $tablename);
$child = $xmlobj->addChild($tablename . 's');
while ($entry = $table->fetch(PDO::FETCH_ASSOC)) {
$subchild = $child->addChild($tablename);
foreach ($entry as $key => $value) {
if ($key == 'password' && $settings['pwd'] === '0') {
$value = '';
}
if (in_array($key, $cdata_fields, true)) {
$valueChild = $subchild->addCData($key, $value);
} else {
$valueChild = $subchild->addChild($key, str_replace('&', '&', $value));
}
if ($value === null) {
$valueChild->addAttribute('null', true);
}
}
}
}
// Add XML files entries for all files in upload directory
if ($settings['backupfiles'] == '1') {
$dir = realpath(FILES_DIR);
$this->_backup_directory($xmlobj->addChild('files'), $dir, $dir);
}
// Create the XML file
$file = $xmlobj->asXML();
$filename = 'wolfcms-backup-' . date($settings['stamp']) . '.' . $settings['extension'];
// Offer a plain XML file or a zip file for download
if ($settings['zip'] == '1') {
// Create a note file
$note = "---[ NOTES for {$filename} ]---\n\n";
$note .= "This backup was created for a specific Wolf CMS version, please only restore it\n";
$note .= "on the same version.\n\n";
$note .= "When restoring a backup, upload the UNzipped XML backup file, not this zip file.\n\n";
$note .= 'Created on ' . date('Y-m-d') . ' at ' . date('H:i:s') . ' GTM ' . date('O') . ".\n";
$note .= 'Created with BackupRestore plugin version ' . BR_VERSION . "\n";
$note .= 'Created for Wolf CMS version ' . CMS_VERSION . "\n\n";
$note .= '---[ END NOTES ]---';
use_helper('Zip');
$zip = new Zip();
$zip->clear();
$zip->addFile($note, 'readme.txt');
$zip->addFile($file, $filename);
$zip->download($filename . '.zip');
} else {
header('Pragma: public');
header('Expires: 0');
header('Cache-Control: must-revalidate, post-check=0, pre-check=0');
header('Cache-Control: private', false);
header('Content-Type: text/xml; charset=UTF-8');
header('Content-Disposition: attachment; filename=' . $filename . ';');
header('Content-Transfer-Encoding: 8bit');
header('Content-Length: ' . strlen($file));
echo $file;
}
}
public function browse()
{
$this->_checkPermission();
$params = func_get_args();
$this->path = join('/', $params);
// make sure there's a / at the end
if (substr($this->path, -1, 1) != '/') {
$this->path .= '/';
}
//security
// we dont allow back link
if (strpos($this->path, '..') !== false) {
if (Plugin::isEnabled('statistics_api')) {
$user = null;
if (AuthUser::isLoggedIn()) {
$user = AuthUser::getUserName();
}
$ip = isset($_SERVER['HTTP_X_FORWARDED_FOR']) ? $_SERVER['HTTP_X_FORWARDED_FOR'] : $_SERVER['REMOTE_ADDR'];
$event = array('event_type' => 'hack_attempt', 'description' => __('A possible hack attempt was detected.'), 'ipaddress' => $ip, 'username' => $user);
Observer::notify('stats_file_manager_hack_attempt', $event);
}
}
$this->fullpath = FILES_DIR . '/themes/promo/images/';
// clean up nicely
$this->fullpath = preg_replace('/\\/\\//', '/', $this->fullpath);
$newss = Record::query('select * from ' . TABLE_PREFIX . 'news ORDER BY type, sequence asc, id desc');
$this->display('news/index', array('dir' => $this->path, 'files' => $this->_getListFiles(), 'newss' => $newss));
}
public function findUsers($where = NULL, $orderby = NULL, $limit = 0, $offset = 0)
{
// FETCH WHERE DATA
$data = array("users" => array(), "roles" => array(), "status" => array(), "login" => array(), "register" => array(), "meta" => array());
$values = array();
if ($where !== NULL) {
foreach ($where as $key => $value) {
// GET USERS
if ($key === "users") {
if (is_string($value)) {
$value = array($value);
}
$count = 0;
$userquery = array();
foreach ($value as $column => $user) {
$column_name = false;
if (!is_numeric($column) && in_array(strtolower($column), array("id", "username", "name", "email"), true)) {
$column_name = strtolower($column);
}
if (!is_array($user)) {
$user = array($user);
}
foreach ($user as $val) {
$op = "OR";
$skip = "LIKE";
if (startsWith($val, "!")) {
$op = "AND";
$skip = "NOT LIKE";
$val = substr($val, 1);
}
if (empty($userquery)) {
if ($column_name === false) {
$userquery[] = "(user.id {$skip} :user{$count} {$op} user.name {$skip} :user{$count} {$op} user.email {$skip} :user{$count} {$op} user.username {$skip} :user{$count})";
} else {
$userquery[] = "(user.{$column_name} {$skip} :user{$count})";
}
} else {
if ($column_name === false) {
$userquery[] = " {$op} (user.id {$skip} :user{$count} {$op} user.name {$skip} :user{$count} {$op} user.email {$skip} :user{$count} {$op} user.username {$skip} :user{$count})";
} else {
$userquery[] = " {$op} (user.{$column_name} {$skip} :user{$count})";
}
}
$values[":user" . $count] = "%" . $val . "%";
$count++;
}
}
if (count($userquery) > 1) {
$data["users"][] = "(" . implode("", $userquery) . ")";
} else {
$data["users"][] = implode("", $userquery);
}
continue;
}
// GET ROLES
if ($key === "roles") {
if (is_string($value) && in_array($value, array(":norole", ":role"))) {
if ($value === ":role") {
$roleset = "LEFT";
$data["roles"][] = "(ur.role_id is NOT NULL)";
} else {
if ($value === ":norole") {
$roleset = "LEFT";
$data["roles"][] = "(ur.role_id is NULL)";
}
}
continue;
} else {
if (is_string($value)) {
$value = array($value);
}
$count = 0;
$rolequery = array();
foreach ($value as $role) {
$op = "OR";
$skip = "=";
if (startsWith($role, "!")) {
$op = "AND";
$skip = "!=";
$role = substr($role, 1);
}
if (empty($rolequery)) {
$rolequery[] = "(role.name {$skip} :role{$count})";
} else {
$rolequery[] = " {$op} (role.name {$skip} :role{$count})";
}
$values[":role" . $count] = $role;
$count++;
}
if (count($rolequery) > 1) {
$data["roles"][] = "(" . implode("", $rolequery) . ")";
} else {
$data["roles"][] = implode("", $rolequery);
}
$roleset = "INNER";
}
continue;
}
// GET STATUS
if ($key === "status") {
if (is_string($value)) {
$value = array($value);
}
foreach ($value as $status) {
if (in_array($status, array("activated", "pending", "blacklisted"))) {
$data["status"][] = $status;
}
}
continue;
}
// GET LOGIN RANGE
if ($key === "login" && is_array($value)) {
$login = array();
if (isset($value["from"])) {
$split = explode("-", $value["from"]);
if (count($split) == 3 && strlen($split[0]) === 4 && strlen($split[1]) === 2 && strlen($split[2]) === 2) {
$login[] = "user.last_login >= '" . implode("-", $split) . "'";
}
}
if (isset($value["until"])) {
$split = explode("-", $value["until"]);
if (count($split) == 3 && strlen($split[0]) === 4 && strlen($split[1]) === 2 && strlen($split[2]) === 2) {
$login[] = "user.last_login <= '" . implode("-", $split) . "'";
}
}
if (!empty($login)) {
$data["login"][] = "(" . implode(" AND ", $login) . ")";
}
continue;
}
// GET REGISTER RANGE
if ($key === "register" && is_array($value)) {
$register = array();
if (isset($value["from"])) {
$split = explode("-", $value["from"]);
if (count($split) == 3 && strlen($split[0]) === 4 && strlen($split[1]) === 2 && strlen($split[2]) === 2) {
$register[] = "user.created_on >= '" . implode("-", $split) . "'";
}
}
if (isset($value["until"])) {
$split = explode("-", $value["until"]);
if (count($split) == 3 && strlen($split[0]) === 4 && strlen($split[1]) === 2 && strlen($split[2]) === 2) {
$register[] = "user.created_on <= '" . implode("-", $split) . "'";
}
}
if (!empty($register)) {
$data["register"][] = "(" . implode(" AND ", $register) . ")";
}
continue;
}
// GET USER META
if ($key === "meta" && is_array($value)) {
$count = 0;
$metaquery = array();
foreach ($value as $mkey => $mvalue) {
$skip = "=";
if (startsWith($mvalue, "!")) {
$skip = "!=";
$mvalue = substr($mvalue, 1);
}
if (startsWith($mvalue, "<=")) {
$skip = "<=";
$mvalue = substr($mvalue, 2);
}
if (startsWith($mvalue, ">=")) {
$skip = ">=";
$mvalue = substr($mvalue, 2);
}
if (startsWith($mvalue, "<")) {
$skip = "<";
$mvalue = substr($mvalue, 1);
}
if (startsWith($mvalue, ">")) {
$skip = ">";
$mvalue = substr($mvalue, 1);
}
$op = "OR";
if (startsWith($mkey, "+")) {
$op = "AND";
$mkey = substr($mkey, 1);
}
if (startsWith($mkey, "-")) {
$op = "OR";
$mkey = substr($mkey, 1);
}
if (empty($metaquery)) {
$metaquery[] = "(meta.meta_key = :mkey{$count} AND meta.meta_value {$skip} :mvalue{$count})";
} else {
$metaquery[] = " {$op} (meta.meta_key = :mkey{$count} AND meta.meta_value {$skip} :mvalue{$count})";
}
$values[":mkey" . $count] = $mkey;
$values[":mvalue" . $count] = $mvalue;
$count++;
}
if (count($metaquery) > 1) {
$data["meta"][] = "(" . implode("", $metaquery) . ")";
} else {
$data["meta"][] = implode("", $metaquery);
}
continue;
}
}
}
$clause = array_merge($data["users"], $data["roles"], $data["login"], $data["register"], $data["meta"]);
$clause = !empty($clause) ? "WHERE " . implode(" AND ", $clause) : "";
// GET OTHER CLAUSEs
if (!empty($orderby)) {
if (is_string($orderby)) {
$orderby = array($orderby);
}
$orderby = "ORDER BY " . implode(", ", $orderby);
}
$limit = $limit > 0 ? "LIMIT " . $limit : "LIMIT 1000";
$offset = $offset > 0 ? "OFFSET " . $offset : "";
// BUILD QUERY
$query = "SELECT user.* FROM " . TABLE_PREFIX . "user AS user";
if (!empty($data["roles"])) {
$query .= " CROSS JOIN " . TABLE_PREFIX . "role AS role";
if (isset($roleset) && $roleset == "LEFT") {
$query .= " LEFT JOIN " . TABLE_PREFIX . "user_role AS ur ON (user.id=ur.user_id)";
} else {
$query .= " INNER JOIN " . TABLE_PREFIX . "user_role AS ur ON (user.id=ur.user_id AND role.id=ur.role_id)";
}
}
if (!empty($data["meta"])) {
$query .= " LEFT JOIN " . TABLE_PREFIX . "user_meta AS meta ON (user.id=meta.user_id)";
}
$query .= " {$clause} GROUP BY user.id, user.username {$orderby} {$limit} {$offset};";
$query = Record::query($query, $values);
// CLEAN DATA
$return = array();
foreach ($query as $line) {
// DELETE PRIVATE STUFF
unset($line->password);
unset($line->blowfish);
unset($line->salt);
// GET STATUS
if ($this->isLocked($line->id)) {
$line->status = "blacklisted";
} else {
if ($this->isActivated($line->id)) {
$line->status = "activated";
} else {
$line->status = "pending";
}
}
if (!empty($data["status"])) {
if (!in_array($line->status, $data["status"])) {
continue;
}
}
// ADD
$return[] = $line;
}
return $return;
}
public function browse()
{
$this->_checkPermission();
$params = func_get_args();
$this->path = join('/', $params);
// make sure there's a / at the end
if (substr($this->path, -1, 1) != '/') {
$this->path .= '/';
}
//security
// we dont allow back link
if (strpos($this->path, '..') !== false) {
if (Plugin::isEnabled('statistics_api')) {
$user = null;
if (AuthUser::isLoggedIn()) {
$user = AuthUser::getUserName();
}
$ip = isset($_SERVER['HTTP_X_FORWARDED_FOR']) ? $_SERVER['HTTP_X_FORWARDED_FOR'] : $_SERVER['REMOTE_ADDR'];
$event = array('event_type' => 'hack_attempt', 'description' => __('A possible hack attempt was detected.'), 'ipaddress' => $ip, 'username' => $user);
Observer::notify('stats_file_manager_hack_attempt', $event);
}
}
$this->display('testimonial/index', array('testimonials' => Record::query('select * from ' . TABLE_PREFIX . 'testimonial ORDER BY ' . TABLE_PREFIX . 'testimonial.sequence, ' . TABLE_PREFIX . 'testimonial.id desc'), 'pages' => Record::findAllFrom('Page', 'parent_id=1 order by parent_id,position')));
}
function backup()
{
$settings = Plugin::getAllSettings('backup_restore');
// All of the tablesnames that belong to Fresh CMS core.
$tablenames = array('layout', 'page', 'page_part', 'page_tag', 'permission', 'plugin_settings', 'setting', 'snippet', 'tag', 'user', 'user_permission');
// All fields that should be wrapped as CDATA
$cdata_fields = array('content', 'content_html');
// Setup XML for backup
$xmltext = '<?xml version="1.0" encoding="UTF-8"?><freshcms></freshcms>';
$xmlobj = new SimpleXMLExtended($xmltext);
$xmlobj->addAttribute('version', CMS_VERSION);
// Retrieve all database information for placement in XML backup
global $__CMS_CONN__;
Record::connection($__CMS_CONN__);
$lasttable = '';
// Generate XML file entry for each table
foreach ($tablenames as $tablename) {
$table = Record::query('SELECT * FROM ' . TABLE_PREFIX . $tablename);
while ($entry = $table->fetchObject()) {
if ($lasttable !== $tablename) {
$lasttable = $tablename;
$child = $xmlobj->addChild($tablename . 's');
}
$subchild = $child->addChild($tablename);
while (list($key, $value) = each($entry)) {
if ($key === 'password' && $settings['pwd'] === '0') {
$value = '';
}
if (in_array($key, $cdata_fields, true)) {
$subchild->addCData($key, $value);
} else {
$subchild->addChild($key, $value);
}
}
}
}
// Create the XML file
$file = $xmlobj->asXML();
$filename = 'freshcms-backup-' . date($settings['stamp']);
// Offer a plain XML file or a zip file for download
if ($settings['zip'] == '1') {
// Create a note file
$note = "---[ NOTES for {$filename}.xml ]---\n\n";
$note .= "This backup was created for a specific Fresh CMS version, please only restore it\n";
$note .= "on the same version.\n\n";
$note .= "When restoring a backup, upload the UNzipped XML file, not this zip file.\n\n";
$note .= 'Created on ' . date('Y-m-d') . ' at ' . date('H:i:s') . ' GTM ' . date('O') . ".\n";
$note .= 'Created with BackupRestore plugin version ' . BR_VERSION . "\n";
$note .= 'Created for Fresh CMS version ' . CMS_VERSION . "\n\n";
$note .= '---[ END NOTES ]---';
use_helper('Zip');
$zip = new Zip();
$zip->clear();
$zip->addFile($note, 'readme.txt');
$zip->addFile($file, $filename . '.xml');
$zip->download($filename . '.zip');
} else {
header('Pragma: public');
header('Expires: 0');
header('Cache-Control: must-revalidate, post-check=0, pre-check=0');
header('Cache-Control: private', false);
header('Content-Type: text/xml; charset=UTF-8');
header('Content-Disposition: attachment; filename=' . $filename . '.xml;');
header('Content-Transfer-Encoding: 8bit');
header('Content-Length: ' . strlen($file));
echo $file;
}
}
public function edit_upload($id)
{
$this->_checkPermission();
$data = $_POST['upload'];
$path = str_replace('..', '', $data['path']);
$overwrite = isset($data['overwrite']) ? true : false;
$overwrite = true;
if (isset($_FILES)) {
if (!empty($_FILES['upload_file']['name']) && !file_exists(FILES_DIR . '/about/' . $_FILES['upload_file']['tmp_name'])) {
//Remove existing image
$exist_abouts = Record::query('Select filename from ' . TABLE_PREFIX . 'about where id="' . $id . '"');
$exist_about = $exist_abouts->fetchObject();
$old_file_name = $exist_about->filename;
if (file_exists(FILES_DIR . '/about/' . $old_file_name) && $old_file_name != "") {
unlink(FILES_DIR . '/about/' . $old_file_name);
}
$file = $this->edit_upload_file($_FILES['upload_file']['name'], FILES_DIR . '/about/', $_FILES['upload_file']['tmp_name'], $overwrite, $id);
if ($file === false) {
Flash::set('error', __('File has not been uploaded!'));
}
}
}
}
public function hasPermission($permission, $data = NULL)
{
global $pawUsers;
// CHECK IF PERMISSION EXIST
if (empty($permission) || !is_string($permission)) {
return false;
}
$permission = paw_xss_cleaner($permission);
$query = "SELECT * FROM " . TABLE_PREFIX . "permission WHERE name=:name";
$query = Record::query($query, array(":name" => $permission));
if (empty($query)) {
return false;
}
if ($data === false) {
return true;
}
$permission = $query[0]->id;
// GET USER
if ($data === NULL) {
$data = $pawUsers->getCurrentUserID();
}
$user = $pawUsers->getUser($data);
if ($user === false) {
return false;
}
// CHECK IF THE USER HAS THE PERMISSION
$query = "SELECT ur.user_id AS id FROM " . TABLE_PREFIX . "user_role AS ur\n\t\t\t\tLEFT JOIN " . TABLE_PREFIX . "role_permission AS rp ON (ur.role_id = rp.role_id) \n\t\t\t\tWHERE ur.user_id=:user AND rp.permission_id=:perm;";
$query = Record::query($query, array(":user" => $user->id, ":perm" => $permission));
if (!empty($query) && isset($query[0])) {
return true;
}
return false;
}
<?php
error_reporting(E_ALL);
if (isset($_GET['page']) && $_GET['page'] !== "") {
$page = $_GET['page'];
}
if (isset($_GET['album']) && $_GET['album'] !== "") {
$album = $_GET['album'];
}
if (isset($page)) {
$sql = "SELECT * FROM wolf_ssp WHERE page_id=" . $page;
$query = Record::query($sql);
if ($result = $query->fetch()) {
$id = $result['id'];
$slideshow = new SSP_Slideshow($id);
} else {
$slideshow = new SSP_Slideshow();
$slideshow->page_id = $page;
$slideshow->id = 0;
$slideshow->elid = 'preview';
}
if (isset($album)) {
$slideshow->aid = $album;
}
if (isset($slideshow->aid)) {
$json = $slideshow->preview_json();
} else {
// no album selected
$json = '{ "slides":"<h3>PREVIEW</h3><h4>(select an album)</h4>"}';
}
} else {
function savesettings()
{
if (!isset($_POST["settings"]) || !isset($_POST["settings"]["action"])) {
Flash::set("error", __("Could not save settings, no settings found."));
} else {
$action = $_POST["settings"]["action"];
if ($action == "theme") {
$themes = array_keys(Setting::getThemes());
if (in_array($_POST["settings"]["theme"], $themes)) {
$sql = "UPDATE " . TABLE_PREFIX . "setting SET value=:theme WHERE name='theme';";
Record::query($sql, array(":theme" => $_POST["settings"]["theme"]));
Flash::set("success", __("The settings have been saved."));
} else {
Flash::set("error", __("An error occured trying to save the settings."));
}
} else {
if ($action == "reset") {
// RESET SETTINGS
$settings = array("fox" => array("color" => "color.fox.css"), "wordpress-3.8" => array("color" => "default.css", "sidebar_width" => 180), "wint" => array("color" => "default.css", "sidebar_width" => 200, "responsive" => true));
$settings = $settings[$this->theme];
} else {
// VALIDATE SETTINGS
if (isset($_POST["settings"]["color"])) {
$colors = array_keys($this->getColors());
if (in_array($_POST["settings"]["color"], $colors)) {
$settings["color"] = $_POST["settings"]["color"];
}
}
if (isset($_POST["settings"]["sidebar_width"])) {
if (is_numeric($_POST["settings"]["sidebar_width"])) {
$settings["sidebar_width"] = (int) $_POST["settings"]["sidebar_width"];
}
}
if (isset($_POST["settings"]["responsive"])) {
$settings["responsive"] = true;
} else {
if ($this->theme == "wint") {
$settings["responsive"] = false;
}
}
}
// SET SETTINGS
if (isset($settings)) {
$insert = array();
$insert[$this->theme] = serialize($settings);
$settings = Plugin::setAllSettings($insert, "themer");
} else {
$settings = false;
}
if ($settings === true) {
Flash::set("success", __("The settings have been saved."));
} else {
Flash::set("error", __("An error occured trying to save the settings."));
}
}
}
redirect(get_url("plugin/themer/settings"));
die;
}